Abstract. In this article we present applications of smooth numbers to the unconditional derandomization of some well-known integer factoring algorithms.

We begin with Pollard's $p-1$ algorithm, which finds in random polynomial time the prime divisors $p$ of an integer $n$ such that $p-1$ is smooth. We show that these prime factors can be recovered in deterministic polynomial time. We further generalize this result to give a partial derandomization of the $k$-th cyclotomic method of factoring ($k \ge 2$) devised by Bach and Shallit.

We also investigate reductions of factoring to computing Euler's totient function $\varphi$. We point out some explicit sets of integers $n$ that are completely factorable in deterministic polynomial time given $\varphi(n)$. These sets consist, roughly speaking, of products of primes $p$ satisfying, with the exception of at most two, certain conditions somewhat weaker than the smoothness of $p-1$. Finally, we prove that $O(\ln n)$ oracle queries for values of $\varphi$ are sufficient to completely factor any integer $n$ in less than $\exp\big((1+o(1))(\ln n)^{1/3}(\ln\ln n)^{2/3}\big)$ deterministic time.



1. Introduction

A fundamental question of algorithmic number theory, in particular, and complexity theory, in general, asks whether there are computational problems which cannot be solved efficiently without the use of randomness. If the answer is no, then we would say that every algorithm can be derandomized. The issue surely has a philosophical flavour, but above all is essential for the development of mathematics. As a rule, derandomization presupposes making the most of the rich mathematical structures involved. It gives rise to new ideas, subtle refinements of existing ones, or, in the worst case, generates fascinating open problems. One of these problems, determining the complexity of primality testing, has been brilliantly solved in [5]: primes are recognizable in deterministic polynomial time.

In this article we present applications of smooth numbers to the unconditional derandomization of some well-known integer factoring algorithms. Recall that a smooth number is a product of small primes (small relative to, say, $n$, meaning polynomial in the size of $n$).

In sections 3 and 4 we analyze Pollard's $p-1$ method [21], important both in theory and practice [23], [17]. Pollard's algorithm finds in random polynomial time those prime divisors $p$ of an integer $n$ for which $p-1$ is smooth. We show that such prime factors can be recovered in deterministic polynomial time (corollary 4.6). Let us merely indicate the two ingredients of the proof. The first comes from Fürer [12], Fellows and Koblitz [11], and also Konyagin and Pomerance [14]: take small integers or, what amounts to the same, small primes to generate a large subgroup $G$ of $\mathbb{Z}_n^*$. The second is a novel idea inspired by the Pohlig-Hellman algorithm [20] for computing discrete logarithms. Namely, let $H$ be the group generated by two elements $a$ and $b$ of $\mathbb{Z}_n^*$, both having smooth order. Then given $a$, $b$ and their orders, we can compute a generator of $H$ or a nontrivial divisor of $n$ in deterministic polynomial time. This result is easily extended by induction to any number of given generators for $H$ (corollary 4.3). We apply it with $H = G$.

In section 5 we give a partial derandomization of the $k$-th cyclotomic method of factoring devised by Bach and Shallit [6]. This method is used to find in random polynomial time such prime factors $p$ of an integer $n$ that the value at $p$ of the $k$-th cyclotomic polynomial is smooth. For the reader's convenience, we first treat the simpler case $k = 2$ (theorem 5.1), corresponding to Williams' $p+1$ method [26], then that of an arbitrary $k$, $k > 2$ (theorem 5.5). The arguments involve more than the derandomization of the $p-1$ algorithm: some elementary algebraic number theory and a lemma proved in [27].

In the last three sections, we attempt to make some progress on a famous open problem: is factoring reducible in deterministic polynomial time to computing Euler's totient function $\varphi$? (cf. problem 23 of [1])

In section 6 we discuss the current state of the art. Miller [19] found a reduction whose correctness depends on the Extended Riemann Hypothesis (ERH). Rabin [22] obtained an unconditional reduction at the cost of giving up determinism. A relatively recent result of Burthe [8] yields a reduction for almost all integers, but these cannot be simply described.

In section 7 we point out some explicit sets of integers $n$ that are completely factorable in deterministic polynomial time given $\varphi(n)$ (theorem 7.1). These sets consist, roughly speaking, of products of primes $p$ satisfying, with the exception of at most two, certain conditions somewhat weaker than the smoothness of $p-1$.

In section 8 we study the deterministic complexity of factoring given an oracle for the function $\varphi$. Suppose that we want to factor into primes the integer $n$. Our idea is first to query the oracle for the iterations $\varphi(n), \varphi^2(n), \varphi^3(n)$, etc. until $\varphi^k(n) = 1$. Then to come back up to the complete factorization of $n$ ($n = \varphi^0(n)$) by a recursive procedure, which recovers the prime factorization of $\varphi^{l-1}(n)$ from the prime factorization of $\varphi^l(n)$, starting with $l = k$. We are basically left with the task of finding the prime factorization of an integer $n$ given the complete factorization of $\varphi(n)$. In the hard case, all the prime divisors of $n$ are congruent to 1 modulo a large integer $A$ that we compute; we further retrieve the missing information either by a direct search or by factoring the polynomial whose coefficients are the coefficients of $n$ in base $A$ (lemma 8.3). The resulting algorithm runs in less than $\exp\big((1+o(1))(\ln n)^{1/3}(\ln\ln n)^{2/3}\big)$ deterministic time (theorem 8.1). Consequently, factoring is reducible in deterministic subexponential time to computing $\varphi$ (corollary 8.2).

2. Notation

Throughout the text $n$ is an odd integer, and $p, q, s$ are prime numbers. The greatest common divisor, respectively the least common multiple, of the integers $a, b$ is denoted by $(a,b)$, respectively $\mathrm{LCM}(a,b)$. We let $v_s(m)$ be the exponent of the highest power of $s$ dividing $m$.
For $G$ a group, $B \subseteq G$, $b \in G$, we should denote by $\langle B\rangle_G$ the subgroup of $G$ generated by $B$, and denote by $\mathrm{ord}_G(b)$ the order of $b$ in $G$. However, if $G = \mathbb{Z}_d^*$, respectively $G = \mathbb{Z}_d[\sqrt m]^*$, we will just write $\langle B\rangle_d$ and $\mathrm{ord}_d(b)$, respectively $\langle B\rangle_{d,m}$ and $\mathrm{ord}_{d,m}(b)$.

The cyclic group with $m$ elements is denoted by $C_m$.

The symbol $\mathbb{P}$ stands for the set of all prime numbers. We denote by $p^-(m)$, respectively $p^+(m)$, the least, respectively the largest, prime dividing $m$. We use $a_i$ to represent the $i$-th coordinate of $a \in \mathbb{Z}_n^* = \prod_{q \mid n}\mathbb{Z}^*_{q^{v_q(n)}}$.

We recall the definitions of the familiar number-theoretic functions appearing in the text:
$$\varphi(m) = \#\{d \le m : (d,m) = 1\} \quad\text{(Euler's totient function)},$$
$$\omega(m) = \sum_{p \mid m} 1, \qquad \Omega(m) = \sum_{p \mid m} v_p(m),$$
$$\psi(x,y) = \#\{m \le x : p^+(m) \le y\}.$$
We will make frequent use of the following theorem proved in [13]:

Theorem 2.1 (Konyagin, Pomerance). If $n \ge 4$ and $2 \le (\ln n)^c \le n$, then $\psi(n, (\ln n)^c) \ge n^{1-1/c}$.

We will always assume that its hypotheses are satisfied when $c$ is fixed (this is natural in the task of factoring $n$). In the last section another estimation of $\psi$ will be applied.



Theorem 2.2 (Canfield et al.). There is an effective, positive constant $C$ such that for $x, y \ge 1$ and $u := \frac{\ln x}{\ln y} \ge 3$ we have
$$\psi(x,y) \ge x\exp\Big(-u\Big(\ln(u\ln u) - 1 + \frac{\ln\ln u - 1}{\ln u} + C\Big(\frac{\ln\ln u}{\ln u}\Big)^2\Big)\Big).$$



3. Pollard's $p-1$ factoring algorithm

We first sketch the ideas behind the probabilistic version of Pollard's $p-1$ factorization method. Let $n$ be an odd integer, not a prime power. Assume that we are given an integer $M$ such that $p-1 \mid M$ for some $p \mid n$ (for the moment we do not consider the issue of finding a suitable $M$). Choose $b \in \mathbb{Z}_n^*$. By Fermat's little theorem we have $b^M \equiv 1\ (p)$ and thus $d := (b^M - 1, n) > 1$. If additionally $d < n$, then $d$ is a nontrivial divisor of $n$. But what if $d = n$, i.e. $b^M = 1$? We can pick another element of $\mathbb{Z}_n^*$. We can also hope to find a nontrivial factor of $n$ in the sequence $(b^{M/2^i} - 1, n)_{i=1,\ldots,v_2(M)}$, as all square roots of 1 in $\mathbb{Z}_n^*$ are of the form $(\pm 1, \ldots, \pm 1) \in \mathbb{Z}_n^* = \prod_{q\mid n}\mathbb{Z}^*_{q^{v_q(n)}}$. It turns out that the expected number of random $b \in \mathbb{Z}_n^*$ needed to split $n$ does not exceed 2.

Theorem 3.1 (Rabin). Let $n$ be odd, $n > 2$, $M$ be even,
$$T(M) = \{b \in \mathbb{Z}_n^* : b^M \ne 1\},$$
$$S(M) = \{b \in \mathbb{Z}_n^* \setminus T(M) : \exists_{i \le v_2(M)}\ 1 < (b^{M/2^i} - 1, n) < n\}.$$
Then
$$\frac{\#(T(M) \cup S(M))}{\varphi(n)} \ge 1 - 2^{1-\omega(n)}.$$
Note that we want not only $M$ to be a multiple of $p-1$ for some (a priori unknown) $p \mid n$, but also $\ln M$ to be relatively small (e.g., bounded by a fixed power of $\ln n$), so that raising to the power $M$ (or $M/2^i$) modulo $n$ does not take too much time. Suppose that $n$ has a prime divisor $p$ such that $p-1$ is smooth, say $p^+(p-1) \le (\ln n)^c$. Set $M = \prod_{q \le (\ln n)^c} q^{\lfloor \ln n/\ln q\rfloor}$. Then $M$ satisfies the two conditions, since
$$\ln M \le \sum_{q \le (\ln n)^c}\Big\lfloor\frac{\ln n}{\ln q}\Big\rfloor\ln q \le \pi((\ln n)^c)\ln n = O\Big(\frac{(\ln n)^{c+1}}{\ln\ln n}\Big)$$
from Chebyshev's theorem. By contrast, there is no efficient method of finding $M$ if $n$ is not divisible by a prime $p$ as above.
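The procedure sketched above, as an added Python example (it is not code from the paper): it builds the smooth exponent $M = \prod_{q \le B} q^{\lfloor \ln n/\ln q\rfloor}$ exactly, by repeated multiplication instead of floating-point logarithms, tries $(b^M - 1, n)$, and when that gcd equals $n$ walks down the sequence $(b^{M/2^i} - 1, n)$ of theorem 3.1. The moduli $31\cdot 1019$ and $31\cdot 61$, the bound $B = 5$ and the base $b = 2$ are constructed test inputs.

```python
from math import gcd


def primes_up_to(bound):
    """Primes q <= bound by a plain sieve of Eratosthenes."""
    sieve = bytearray([1]) * (bound + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(bound ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [q for q in range(2, bound + 1) if sieve[q]]


def floor_log(n, q):
    """Largest e with q**e <= n, i.e. floor(ln n / ln q), computed exactly."""
    e, power = 0, q
    while power <= n:
        power *= q
        e += 1
    return e


def smooth_exponent(n, bound):
    """M = prod_{q <= bound} q^{floor(ln n / ln q)}.  Every prime power <= n
    whose prime is <= bound divides M, so p - 1 | M whenever p <= n and
    p - 1 is bound-smooth."""
    M = 1
    for q in primes_up_to(bound):
        M *= q ** floor_log(n, q)
    return M


def v2(M):
    """Exponent of the highest power of 2 dividing M."""
    return (M & -M).bit_length() - 1


def pollard_p_minus_1(n, bound, b):
    """Return a nontrivial divisor of n obtained from the base b, or None.

    Stage one is the classical test (b^M - 1, n).  If that gcd is n, i.e.
    b^M = 1 in Z_n^*, stage two looks at b^{M/2^i} for i = 1, ..., v2(M):
    the first such power that differs from 1 is a square root of 1 that is
    not 1 in some component of Z_n^* = prod Z_{q^e}^*, and unless it is -1
    in every component its gcd with n is a proper factor (Rabin's set S(M))."""
    M = smooth_exponent(n, bound)
    x = pow(b, M, n)
    d = gcd(x - 1, n)
    if d == 1:
        return None          # b^M != 1 modulo every prime factor: M too small
    if d < n:
        return d
    for i in range(1, v2(M) + 1):
        x = pow(b, M >> i, n)
        d = gcd(x - 1, n)
        if 1 < d < n:
            return d
        if d == 1:
            break            # b^{M/2^i} = -1 in every component: b is not in S(M)
    return None


if __name__ == "__main__":
    print(pollard_p_minus_1(31 * 1019, 5, 2))   # 31, found in stage one
    print(pollard_p_minus_1(31 * 61, 5, 2))     # 31, found by the 2-power descent
```

For $n = 31\cdot 1019$ the base 2 lies in $T(M)$ modulo 1019 (since $1018 = 2\cdot 509$ is not 5-smooth) and the first gcd already returns 31; for $n = 31\cdot 61$ both $30$ and $60$ are 5-smooth, so $2^M = 1$ in $\mathbb{Z}_n^*$ and the factor only appears at $i = 9$, where $2^{M/2^9}$ is $1$ modulo 31 but $-1$ modulo 61.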

As before suppose that $n$ is odd, divisible by at least two different primes $p$ and $q$. It is well known that if a multiple $M$ of $p-1$ is given, then the previously described search for a nontrivial factor of $n$ can be derandomized under the ERH. Without loss of generality assume that $b^M \equiv 1\ (n)$ for all $b < 2(\ln n)^2$.

Theorem 3.2 (Bach). Suppose that the ERH is true. Let $n > 3$, $\chi$ be a nonprincipal character modulo $n$. There is an integer $b < 2(\ln n)^2$ such that $\chi(b) \ne 1$.

Using this theorem, we can easily prove the existence of $b < 2(\ln n)^2$ such that for some $i$, $b^{M/2^i} - 1$ is divisible by $q$ or $p$, but not both. We apply it with $\chi$ induced by the quadratic character $\left(\frac{\cdot}{p}\right)$, $\left(\frac{\cdot}{q}\right)$, $\left(\frac{\cdot}{pq}\right)$ when $v_2(p-1) > v_2(q-1)$, $v_2(p-1) < v_2(q-1)$, $v_2(p-1) = v_2(q-1)$, respectively.

4. A deterministic variant of Pollard's $p-1$ factoring algorithm

Our basic framework is as follows. Let $B = \{2, 3, \ldots, \lfloor(\ln n)^2\rfloor\}$. Assume that we are given an integer $M$ together with its complete factorization such that $b^M \equiv 1\ (n)$ for every $b \in B$. We want to find a simple and not restrictive condition on $n$ under which $n$ is factorable in deterministic polynomial time in $\ln n$ and $\ln M$. The starting point is a reformulation of the primality criterion from [11]. We restate the argument for completeness and clarity of exposition.

Theorem 4.1 (Fellows-Koblitz). Let $B = \{2, 3, \ldots, \lfloor(\ln n)^2\rfloor\}$, $B \subseteq \mathbb{Z}_n^*$. Then $n$ is prime if and only if the following conditions are satisfied.

(i) $\mathrm{ord}_p(b) = \mathrm{ord}_n(b)$ for every $b \in B$ and $p \mid n$.

(ii) $\mathrm{LCM}_{b \in B}(\mathrm{ord}_n(b)) > \sqrt n$.

Proof. Suppose $n$ is prime. Condition (i) is then a tautology. We check condition (ii). The group $\langle B\rangle_n$ is cyclic, since $n$ is prime. Therefore
$$\mathrm{LCM}_{b \in B}(\mathrm{ord}_n(b)) = \#\langle B\rangle_n > \psi(n, (\ln n)^2) > \sqrt n,$$
where the last inequality follows from theorem 2.1.

Assume now that conditions (i) and (ii) are satisfied. Let $p = p^-(n)$. We then have $\mathrm{ord}_p(b) = \mathrm{ord}_n(b)$ for all $b \in B$ and thus
$$\mathrm{LCM}_{b \in B}(\mathrm{ord}_p(b)) = \mathrm{LCM}_{b \in B}(\mathrm{ord}_n(b)) > \sqrt n.$$
However $\mathrm{LCM}_{b \in B}(\mathrm{ord}_p(b)) \mid p-1$. Consequently $p > \sqrt n$; hence $n \in \mathbb{P}$. □

Let $b \in \mathbb{Z}_n^*$, $p \mid n$. Recall that $\mathrm{ord}_p(b) < \mathrm{ord}_n(b)$ is equivalent to $p \mid b^{\mathrm{ord}_n(b)/s} - 1$ for some $s \mid \mathrm{ord}_n(b)$. If $(b^{\mathrm{ord}_n(b)/s} - 1, n) > 1$ for some $s \mid \mathrm{ord}_n(b)$, then we will say that $b$ is a Fermat-Euclid witness for $n$. Checking conditions (i) and (ii) therefore reduces to factoring the orders of the elements of $B$, which can be done efficiently under our assumption on $M$. Taking $M = n-1$ yields a deterministic polynomial time algorithm for deciding the primality of integers $n$ such that $n-1$ is smooth. Actually, a stronger test, in which only a part of $n-1$ exceeding $n^{1/2+\varepsilon}$ ($\varepsilon > 0$) is assumed to be smooth, was first discovered by Fürer [12]. Konyagin and Pomerance [14] further reduced the exponent $1/2 + \varepsilon$ to $\varepsilon$. The key point is that beside searching some other appropriately chosen "small" subset $B$ of $\mathbb{Z}_n^*$ for Fermat-Euclid witnesses for $n$, one can also check the cyclicity of $\langle B\rangle_n$. The authors verify this stringent condition by applying the classic Pohlig-Hellman technique of discrete logarithm computation in a prime field. Here we will in a sense extend this technique for the purpose of splitting the integer $n$.

Suppose for greater generality that $B$ is any subset of $\mathbb{Z}_n^*$. We will describe below a deterministic algorithm that finds a generator of $\langle B\rangle_n$ or, particularly in the case when $\langle B\rangle_n$ is not cyclic, a nontrivial divisor of $n$. This algorithm runs in polynomial time if $B$ consists of elements having smooth orders in $\mathbb{Z}_n^*$. By induction, it is sufficient to restrict our attention to the case $\#B = 2$, say $B = \{a, b\}$.

We assume temporarily that $\mathrm{ord}_n(a) = s^v$, $b^{s^v} = 1$ with $s \in \mathbb{P}$, $v \in \mathbb{N}$. Let $n = p_1^{e_1}\cdot\ldots\cdot p_k^{e_k}$ be the complete factorization of $n$. There exists an $i$, $1 \le i \le k$, such that $\mathrm{ord}_{p_i^{e_i}}(a_i) = s^v$. Since $b_i^{s^v} = 1$ and $\mathbb{Z}^*_{p_i^{e_i}}$ is cyclic, we have $a_i^l = b_i$ for some uniquely determined natural number $l$ less than $s^v$. Write $l$ in base $s$: $l = \sum_{0 \le r < v} l_r s^r$. Set $l_{-1} = 0$ and reason by induction. Assume we have computed $l_0, \ldots, l_m$, where $-1 \le m \le v-2$. Put $c = b\,a^{-\sum_{0 \le r \le m} l_r s^r}$. Then $c_i = a_i^{\sum_{m < r < v} l_r s^r}$. Therefore $c_i^{s^{v-m-2}} = a_i^{l_{m+1}s^{v-1}}$. Denote $(c^{s^{v-m-2}} - a^{js^{v-1}}, n)$ by $d_j$. We successively compute $d_0, d_1, \ldots$, until we get $d_j > 1$ for some $j \le s-1$. This will happen, because $p_i^{e_i} \mid d_{l_{m+1}}$. If moreover $d_j < n$, then $d_j$ is a nontrivial factor of $n$. Otherwise, $d_j = n$. In particular, $c_i^{s^{v-m-2}} = a_i^{js^{v-1}}$. Hence $j = l_{m+1}$. Eventually, if $m = v-2$, then $d_{l_{v-1}} = n$ implies $b = a^l$. More formally we use the ensuing algorithm.

PH($n, a, b, s, v, w$) {$a, b \in \mathbb{Z}_n^*$, $s \in \mathbb{P}$, $\mathrm{ord}_n(a) = s^v$, $\mathrm{ord}_n(b) = s^w$}

(1) If $w > v$ then interchange $a$ and $b$

(2) For $j = 1$ to $s-1$ compute $a^{js^{v-1}}$

(3) Let $c = b$

(4) For $m = -1$ to $v-2$ do

(a) Let $j = 0$

(b) While $(c^{s^{v-m-2}} - a^{js^{v-1}}, n) = 1$ do $j = j+1$

(c) Let $d = (c^{s^{v-m-2}} - a^{js^{v-1}}, n)$. If $d \ne n$ then return $d$

(d) Let $c = c\,a^{-js^{m+1}}$

Theorem 4.2. Let $a, b \in \mathbb{Z}_n^*$, $s \in \mathbb{P}$, $\mathrm{ord}_n(a) = s^v$, $\mathrm{ord}_n(b) = s^w$. If the algorithm PH($n, a, b, s, v, w$) does not find a nontrivial divisor of $n$, then $\langle a, b\rangle_n$ is cyclic. This algorithm uses $O((s + u\ln s)u(\ln n)^2)$ operations, where $u = \max(v, w)$.

Proof. The correctness of PH($n, a, b, s, v, w$) follows from the preceding discussion. Step 2 requires $O(u(\ln n)^2\ln s + s(\ln n)^2)$ operations. The total number of operations used by step 4b in the loop 4 is $O(u^2(\ln n)^2\ln s + us(\ln n)^2)$. Step 4d takes on the whole in the loop 4, $O(u^2(\ln n)^2\ln s)$ operations. Hence the stated running time. □
Suppose now that $B = \{a, b\}$ with $\mathrm{ord}_n(a)$ and $\mathrm{ord}_n(b)$ arbitrary. Let $A = \mathrm{ord}_n(a)$, $B = \mathrm{ord}_n(b)$. For $s \in \mathbb{P}$, set $g_s = a^{A/s^{v_s(A)}}$ if $v_s(A) \ge v_s(B)$, else $g_s = b^{B/s^{v_s(B)}}$. We follow the procedures PH($n, a^{A/s^{v_s(A)}}, b^{B/s^{v_s(B)}}, s, v_s(A), v_s(B)$), $s$ running through the set of primes dividing $(A, B)$. The group $\langle a, b\rangle_n$ is a direct sum of its $s$-primary parts $\langle a^{A/s^{v_s(A)}}, b^{B/s^{v_s(B)}}\rangle_n$. Therefore, either a nontrivial factor of $n$ will be found, or $\langle a, b\rangle_n$ is cyclic, generated by $\prod_{s \mid AB} g_s$.

Corollary 4.3. Assume we are given a subset $B$ of $\mathbb{Z}_n^*$ and the complete factorization of all the integers $\mathrm{ord}_n(b)$ for $b \in B$. Then we can find a generator of $\langle B\rangle_n$ or a nontrivial factor of $n$ in $O(\#B\cdot(p + \ln n)(\ln n)^3)$ deterministic time, where $p$ is the greatest prime dividing the order of at least two distinct $b_1, b_2 \in B$ (put $p = 0$ if there is no such prime).

Proof. Again, the correctness has been already discussed. We obtain the run-time bound by summing $(s + v_s(\varphi(n))\ln s)\,v_s(\varphi(n))(\ln n)^2$ over $s \mid \varphi(n)$, $s \le p$, and multiplying by $\#B$. □

Remark 4.4. The number $p$ in the $O$ symbol above could be replaced by $\sqrt p\ln p$. To achieve this, one uses FFT techniques, well known from Pollard's [21] or Strassen's [24] algorithms for factoring $n$ in $O(n^{1/4+\varepsilon})$ deterministic time. The hardest part of the PH() algorithm is finding $j$, $0 \le j < s$, such that $d_j > 1$. The integer $j$ is of the form $j = j_0 + j_1\lceil\sqrt s\rceil$ for some integers $j_0, j_1$, $0 \le j_0, j_1 < \lceil\sqrt s\rceil$. Let $a' = a^{s^{v-1}}$, $c' = c^{s^{v-m-2}}$. We introduce the polynomial $h = \prod_{0 \le j_0 < \lceil\sqrt s\rceil}(c' - a'^{j_0}X)$ and compute $h(a'^{j_1\lceil\sqrt s\rceil})$ for $j_1 = 0, 1, \ldots, \lceil\sqrt s\rceil - 1$. By theorem 4 of [25] it can be done in $O(\sqrt s(\ln s)^2(\ln n)^2)$ deterministic time. Next we find $j_1$ satisfying $(h(a'^{j_1\lceil\sqrt s\rceil}), n) > 1$. Afterwards $j_0$ such that $(c' - a'^{j_0 + j_1\lceil\sqrt s\rceil}, n) > 1$. The computational cost of these last two steps is $O(\sqrt s(\ln n)^2)$, thus negligible.

Turning back to our main question, we propose the following deterministic algorithm for splitting $n$ given an integer $M$ as in the beginning of this section.

Split($n, M, s_1, v_1, \ldots, s_t, v_t$) {$M = s_1^{v_1}\cdot\ldots\cdot s_t^{v_t}$ is the complete factorization of $M$}

(1) For every $b \in B$, compute $b^M$ modulo $n$, and:

(a) If $(b^M - 1, n) = 1$ then report failure and stop

(b) If $(b^M - 1, n) < n$ then output this gcd and stop

(2) Using the complete factorization of $M$, compute $\mathrm{ord}_n(b)$ for each $b \in B$

(3) For every $b \in B$ and each prime $s \mid \mathrm{ord}_n(b)$, compute $(b^{\mathrm{ord}_n(b)/s} - 1, n)$. If one of these gcds is a nontrivial factor of $n$, then stop

(4) Using the algorithm associated with corollary 4.3 check whether $\langle B\rangle_n$ is cyclic. If a nontrivial divisor of $n$ is found during these computations, then stop

(5) State that $n$ is prime

Theorem 4.5. Let $B = \{2, 3, \ldots, \lfloor(\ln n)^2\rfloor\}$, $M = s_1^{v_1}\cdot\ldots\cdot s_t^{v_t}$ be the complete factorization of the integer $M$, $s_0 = \max\{s \mid M : \forall_{q \mid n}\ s \mid q-1\}\cup\{0\}$. Suppose that $b^M \equiv 1\ (n)$ for all $b \in B$. Then the algorithm Split($n, M, s_1, v_1, \ldots, s_t, v_t$) finds a nontrivial divisor (or a proof of the primality) of $n$ in $O\big((s_0(\ln M)(\ln\ln M) + (\ln n)^2)(\ln n)^4\big)$ deterministic time.

Proof. For the correctness assume that we have reached step 5 of the algorithm. Step 3 implies that $B$ contains no Fermat-Euclid witness for $n$ and step 4 that $\langle B\rangle_n$ is cyclic. Therefore $n$ is indeed prime in the light of the Fellows-Koblitz primality criterion. We proceed to the running time analysis. Step 1 requires $O((\ln M)(\ln n)^4)$ operations. Step 2 can be done in $O((\ln M)(\ln\ln M)(\ln n)^4)$ time (see [11], the analysis of the runtime of algorithm 3.1). Step 3 costs $O((\ln n)^6)$ operations. When we get to step 4, the exponent of $\langle B\rangle_n$ divides $q-1$ for every prime factor $q$ of $n$. By corollary 4.3 the remaining computations thus take $O((s_0 + \ln n)(\ln n)^5)$ time. □

There might be inputs $n$ for which the runtime of Split($n, M, s_1, v_1, \ldots, s_t, v_t$) is not polynomial in $\ln n$ and $\ln M$, but it actually is if the integer $s_0$ defined in theorem 4.5 is small, say bounded by a polynomial $B$ in $\ln n$. This is obviously satisfied whenever $n$ has a prime divisor $p$ such that $p-1$ is $B$-smooth.
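An added Python implementation, not the paper's own code, of the procedure PH($n, a, b, s, v, w$) described earlier in this section, of the $s$-primary merging step behind corollary 4.3, and of the algorithm Split; one block serves all three passages because Split is built from the other two. The base set is the paper's $B = \{2, \ldots, \lfloor(\ln n)^2\rfloor\}$ and $M = \prod_{q \le B} q^{\lfloor\ln n/\ln q\rfloor}$ as in corollary 4.6; the moduli $31\cdot 1019$, $31\cdot 61$ and the prime $1019$ used below are constructed test inputs.

```python
from math import gcd, log, prod


def primes_up_to(bound):
    """Primes q <= bound by trial division (bound is small here)."""
    return [q for q in range(2, bound + 1)
            if all(q % r for r in range(2, int(q ** 0.5) + 1))]


def ph(n, a, b, s, v, w):
    """PH(n, a, b, s, v, w) of section 4 with ord_n(a) = s^v, ord_n(b) = s^w.

    Returns (d, None) for a nontrivial divisor d of n, or (None, g) where g,
    the element of larger order, generates <a, b>_n.  Step numbers follow
    the paper's listing."""
    if w > v:                                          # step 1
        a, b, v, w = b, a, w, v
    if v == 0:
        return None, a
    a_top = pow(a, s ** (v - 1), n)
    table = [pow(a_top, j, n) for j in range(s)]       # step 2: a^{j s^{v-1}}
    c = b                                              # step 3
    for m in range(-1, v - 1):                         # step 4: m = -1, ..., v-2
        cm = pow(c, s ** (v - m - 2), n)
        j = 0                                          # step 4a
        while j < s and gcd(cm - table[j], n) == 1:    # step 4b
            j += 1
        if j == s:
            raise ValueError("orders of a and b are not as claimed")
        d = gcd(cm - table[j], n)                      # step 4c
        if d != n:
            return d, None
        c = c * pow(a, -j * s ** (m + 1), n) % n       # step 4d: peel off digit l_{m+1}
    return None, a


def merge(n, a, b, A, B):
    """Corollary 4.3 for two elements.  A and B are the factorizations
    {prime: exponent} of ord_n(a) and ord_n(b).  Returns (d, None, None) for
    a divisor d, or (None, g, G) with g generating <a, b>_n and G = ord_n(g)."""
    g, G = 1, {}
    A_val = prod(s ** e for s, e in A.items())
    B_val = prod(s ** e for s, e in B.items())
    for s in sorted(set(A) | set(B)):
        va, vb = A.get(s, 0), B.get(s, 0)
        a_s = pow(a, A_val // s ** va, n)              # s-primary part of a
        b_s = pow(b, B_val // s ** vb, n)              # s-primary part of b
        if va and vb:
            d, _ = ph(n, a_s, b_s, s, va, vb)
            if d is not None:
                return d, None, None
        g = g * (a_s if va >= vb else b_s) % n         # the g_s of the text
        G[s] = max(va, vb)
    return None, g, G


def order_from_multiple(n, b, M_fac):
    """ord_n(b) as {prime: exponent}, given M = prod s^e (M_fac) with b^M = 1 (n)."""
    M = prod(s ** e for s, e in M_fac.items())
    order = {}
    for s, e in M_fac.items():
        x, k = pow(b, M // s ** e, n), 0               # x has order s^{v_s(ord_n b)}
        while x != 1:
            x, k = pow(x, s, n), k + 1
        if k:
            order[s] = k
    return order


def split(n, bound):
    """Split(n, M, s_1, v_1, ...) with M = prod_{q <= bound} q^{floor(ln n / ln q)}.
    Returns a nontrivial divisor of n, the string 'prime', or None on failure."""
    M_fac = {}
    for q in primes_up_to(bound):
        e = 0
        while q ** (e + 1) <= n:
            e += 1
        M_fac[q] = e
    M = prod(s ** e for s, e in M_fac.items())
    base = list(range(2, int(log(n) ** 2) + 1))
    for b in base:                                     # step 1
        if 1 < gcd(b, n) < n:
            return gcd(b, n)                           # the paper assumes B inside Z_n^*
        d = gcd(pow(b, M, n) - 1, n)
        if d == 1:
            return None                                # hypothesis b^M = 1 (n) violated
        if d < n:
            return d
    orders = {b: order_from_multiple(n, b, M_fac) for b in base}   # step 2
    for b, ob in orders.items():                       # step 3: Fermat-Euclid witnesses
        o = prod(s ** e for s, e in ob.items())
        for s in ob:
            d = gcd(pow(b, o // s, n) - 1, n)
            if 1 < d < n:
                return d
    g, G = 1, {}
    for b in base:                                     # step 4: is <B>_n cyclic?
        d, g, G = merge(n, g, b, G, orders[b])
        if d is not None:
            return d
    return "prime"                                     # step 5
```

For $n = 31\cdot 61$, the elements $a = -1$ and $b \equiv 1\ (31)$, $b \equiv -1\ (61)$ both have order 2 but generate a non-cyclic group, and PH returns the factor 31 at its first gcd; `split(31589, 5)` returns 31 in step 1, while `split(1019, 509)` runs through all four steps of the listing (every order of a base element divides $1018 = 2\cdot 509$, so $M$ must contain the prime 509) and ends in step 5.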

Corollary 4.6 (deterministic version of Pollard's $p-1$ algorithm). Let $B \ge \ln n$.

(i) Assume $n$ has a prime divisor $p$ such that $p-1$ is $B$-smooth. Then we can find a nontrivial divisor (or a proof of the primality) of $n$ in $O(B(\ln n)^{\dots})$ deterministic time.

(ii) Suppose in addition that $n$ has at most one prime divisor $p$ such that $p-1$ is not $B$-smooth. Then we can obtain the complete factorization of $n$, together with a primality proof for each of the prime factors, in $O(B(\ln n)^{\dots})$ deterministic time.

Proof. Put $M = \prod_{q \le B} q^{\lfloor\ln n/\ln q\rfloor}$ in theorem 4.5. Part (i) follows, since $\ln M = O\big(\frac{B}{\ln B}\ln n\big)$ and $\ln\ln M = O(\ln B)$. For part (ii), simply consider the iteration of the algorithm corresponding to part (i), combined with the Lenstra-Pomerance variant of the AKS primality test [18], which runs in $O((\ln n)^6(\ln\ln n)^c)$ deterministic time for some constant $c$. □



Let us briefly compare the running times of the original Pollard $p-1$ algorithm with the new version. The original algorithm finds a nontrivial divisor of $n$ in $O\big(\frac{B}{\ln B}(\ln n)^3\big)$ random time under the assumption of corollary 4.6 (i). Our deterministic version is slower (though not as much as we would expect) and thus rather of theoretical than practical interest.

Of course, the obtained running time bound of Split($n, M, s_1, v_1, \ldots, s_t, v_t$) is polynomial in $\ln n$ and $\ln M$ for more inputs $n$ than those considered in corollary 4.6 with $B$ a polynomial in $\ln n$. Let $D(n,u) = \max_{q > (\ln n)^u}\#\{p \mid n : q \mid p-1\}$, $u > 0$.

We should expect that the integers $n$ for which $D(n,u) > 1$ (with $u$ fixed) are rare. This is in fact true. We prove slightly more than needed to motivate the ideas of section 7.

Theorem 4.7. Let $l \in \mathbb{N}$. The number $B(x,u,l)$ of integers $n \le x$ such that $D(n,u) > l$ is bounded above by $c\,x\,\dfrac{2^{lu}(\ln\ln x)^{l+1}}{(\ln x)^{lu}}$, where the constant $c$ does not depend upon $u$.
Proof. We have:
$$B(x,u,l) \le \sqrt x + \sum_{\sqrt x < n \le x}\ \sum_{q > (\ln n)^u}\ \sum_{\substack{p_1 < \cdots < p_{l+1}\\ p_i \mid n,\ p_i \equiv 1\,(q)}} 1 \le \sqrt x + \sum_{q > 2^{-u}(\ln x)^u}\ \sum_{\sqrt x < n \le x}\ \sum_{\substack{p_1 < \cdots < p_{l+1}\\ p_i \mid n,\ p_i \equiv 1\,(q)}} 1 .$$
Furthermore,
$$\sum_{n \le x}\ \sum_{\substack{p_1 < \cdots < p_{l+1}\\ p_i \mid n,\ p_i \equiv 1\,(q)}} 1 = \sum_{\substack{p_1 < \cdots < p_{l+1} \le x\\ p_i \equiv 1\,(q)}}\Big\lfloor\frac{x}{p_1\cdot\ldots\cdot p_{l+1}}\Big\rfloor \le x \sum_{\substack{p_1 < \cdots < p_{l+1} \le x\\ p_i \equiv 1\,(q)}}\frac{1}{p_1\cdot\ldots\cdot p_{l+1}} \le c_1^{\,l+1}\,x\,\frac{(\ln\ln x)^{l+1}}{\varphi(q)^{l+1}},$$
where the last inequality follows from the uniform bound
$$\sum_{\substack{p \le x\\ p \equiv 1\,(d)}}\frac1p \le \frac{c_1}{\varphi(d)}\ln\ln x$$
(use summation by parts and apply the Brun-Titchmarsh inequality). Hence
$$\sum_{q > 2^{-u}(\ln x)^u}\ \sum_{\sqrt x < n \le x}\ \sum_{\substack{p_1 < \cdots < p_{l+1}\\ p_i \mid n,\ p_i \equiv 1\,(q)}} 1 \le c_2\,x\,(\ln\ln x)^{l+1}\sum_{q > 2^{-u}(\ln x)^u}\frac{1}{\varphi(q)^{l+1}} \le c_3\,x\,\frac{2^{lu}(\ln\ln x)^{l+1}}{(\ln x)^{lu}}.$$
Thus
$$B(x,u,l) \le c_3\,x\,\frac{2^{lu}(\ln\ln x)^{l+1}}{(\ln x)^{lu}}. \qquad □$$



5. Generalization to the $p+1$ and other cyclotomic methods

Williams designed a method of factoring analogous to Pollard's $p-1$ algorithm, the $p+1$ method. It splits in random polynomial time integers $n$ having a prime divisor $p$ such that $p+1$ is smooth. Traditionally, it is described in terms of Lucas sequences, but the analogy with the $p-1$ method becomes clear if one works, modulo $n$, in some quadratic extension of $\mathbb{Z}$, as we will do. This section is mainly devoted to the proof of

Theorem 5.1. Let $n$ and $m$ be odd, coprime integers, $n > 2$, $m$ squarefree. Let $B \ge \ln n$. Suppose that $n$ has a prime factor $p$ such that $p+1$ is $B$-smooth and $\left(\frac{m}{p}\right) = -1$. Then we can find a nontrivial divisor (or a proof of the primality) of $n$ in $O_{c,m}(B(\ln n)^{\dots})$ deterministic time, where $h$ is the class number of $\mathbb{Q}(\sqrt m)$ and $c$ is any constant greater than 4.

The obtained derandomization of the $p+1$ algorithm is only partial, because of the requirement $\left(\frac{m}{p}\right) = -1$, $m$ being fixed. We should therefore talk about deterministic $p+1$ methods (for varying $m$) instead of one deterministic $p+1$ algorithm. We need some auxiliary results in the spirit of [27], the extension of the Pohlig-Hellman algorithm for the group $\mathbb{Z}_n[\sqrt m]^*$ to begin with.

Theorem 5.2. Suppose that $m \bmod p$ is a quadratic nonresidue for some prime $p$ dividing $n$. Let a subset $B$ of $\mathbb{Z}_n[\sqrt m]^*$ and the complete factorization of all the integers $\mathrm{ord}_{n,m}(b)$ for $b \in B$ be given. Then a generator of $\langle B\rangle_{n,m}$ or a nontrivial factor of $n$ can be computed in $O_m(\#B\cdot(q + \ln n)(\ln n)^3)$ deterministic time, where $q$ is the greatest prime dividing the order of at least two distinct $b_1, b_2 \in B$ (set $q = 0$ if there is no such prime).

Proof. As in corollary 4.3 the argument reduces to the case of $B = \{a, b\}$ with $\mathrm{ord}_{n,m}(a)$ and $\mathrm{ord}_{n,m}(b)$ equal to the powers of some prime $s$, say $\mathrm{ord}_{n,m}(a) = s^v$, $\mathrm{ord}_{n,m}(b) = s^w$, $v \ge w$. Let $a^{s^{v-1}} = a_1 + a_2\sqrt m$. We can also assume that $\mathrm{ord}_{p,m}(a) = s^v$, for otherwise $(a_1 - 1, n)$ or $(a_2, n)$ would be a nontrivial divisor of $n$. The rest of the proof follows the lines of section 4 since $\mathbb{Z}_p[\sqrt m]^*$ is, by assumption, isomorphic to $\mathbb{F}_{p^2}^*$, hence cyclic. □

We introduce the standard integral basis of the ring of integers in $\mathbb{Q}(\sqrt m)$, letting $y = \sqrt m$ if $m \equiv 2, 3\ (4)$, and $y = \frac{1+\sqrt m}{2}$ if $m \equiv 1\ (4)$. The next theorem is well known in the context of solving generalized Pell equations (norm equations in $\mathbb{Z}[y]$).

Theorem 5.3. There is an effective, positive constant $c_1$ depending upon $m$ and having the following property. For any nonzero $a \in \mathbb{Z}[y]$ there exists $b \in \mathbb{Z}[y]$, $b = b_1 + b_2 y$, such that $b/a \in \mathbb{Z}[y]^*$ and $|b_i| \le c_1\sqrt{|N(a)|}$, where $N(a)$ is the norm of $a$ and $i = 1, 2$.

Finally, we formulate some kind of analogue of theorem 2.1 for the ring $\mathbb{Z}[y]$.

Theorem 5.4. Let $n$ be odd, $n > 2$. Also, let $c > 1$. Adopting the above notation, define
$$A = \{a_1 + a_2 y : |a_i| \le c_1(\ln n)^c,\ 1 \le i \le 2\},$$
$$S = \{v\cdot a_1\cdot\ldots\cdot a_t : v \in \mathbb{Z}[y]^*,\ t \in \mathbb{N},\ a_i \in A,\ 1 \le i \le t\},$$
and $\pi_n : \mathbb{Z}[y] \to \mathbb{Z}_n[\sqrt m]$ as the obvious projection. Then $\#\pi_n(S) \ge n^{2 - 2/c - \varepsilon}$ for any $\varepsilon > 0$ and $n \ge n_0$, $n_0 = n_0(m, c, \varepsilon)$.

Proof. This is in fact a special case of lemma 3.5 from [27]. □

Let $f_n$ be the endomorphism
$$a_1 + a_2\sqrt m \mapsto (a_1 - a_2\sqrt m)(a_1 + a_2\sqrt m)^{-1}$$
of $\mathbb{Z}_n[\sqrt m]^*$. Let $U$ be a set of generators of the group of units $\mathbb{Z}[y]^*$, $\#U \le 2$ ($U$ could be written explicitly), and let
$$B_n = \pi_n(U \cup A)\setminus\{0\}.$$

The algorithm below is a deterministic version of the $p+1$ factorization method. We justify the correctness in the proof of theorem 5.1.

Split2($n, c, m, M, s_1, v_1, \ldots, s_t, v_t$) {$c > 4$, $M = s_1^{v_1}\cdot\ldots\cdot s_t^{v_t}$ is the complete factorization of $M$}

(1) If $n$ is a nontrivial power $d^k$ then output $d$ and stop

(2) Let $n_0$ be as in theorem 5.4 with $\varepsilon = \frac12 - \frac2c$. If $n$ has a prime factor below $n_0$ then output such one and stop

(3) For each $a \in A$, compute $N(a)$, let $\pi_n(a) = a_1 + a_2\sqrt m$, and:

(a) If $1 < (N(a), n) < n$ then output $(N(a), n)$ and stop

(b) If $n \mid N(a)$ then:

(i) If $(a_1, n) = 1$ or $(a_2, n) = 1$ then output failure and stop

(ii) If $(a_1, n) < n$ then output this gcd and stop. Do the same with $(a_2, n)$

(4) For every $b \in f_n(B_n)$ compute $b^M$, $b^M = b_1 + b_2\sqrt m$, and:

(a) If $(b_1 - 1, n) = 1$ or $(b_2, n) = 1$ then report failure and stop

(b) If $(b_1 - 1, n) < n$ then output this gcd and stop. Do the same with $(b_2, n)$

(5) Using the complete factorization of $M$, compute $\mathrm{ord}_{n,m}(b)$ for each $b \in f_n(B_n)$

(6) For every $b \in f_n(B_n)$ and each prime $s \mid \mathrm{ord}_{n,m}(b)$, compute $b^{\mathrm{ord}_{n,m}(b)/s} = b_1 + b_2\sqrt m$, and the gcds $(b_1 - 1, n)$, $(b_2, n)$. If one of these gcds is a nontrivial factor of $n$ then stop

(7) Using the algorithm associated with theorem 5.2 check whether $\langle f_n(B_n)\rangle_{n,m}$ is cyclic. If a nontrivial divisor of $n$ is found during these computations, then stop

(8) State that $n$ is prime

Proof of theorem 5.1. Set $M = \prod_{q \le B} q^{\lceil\ln(n+1)/\ln q\rceil}$. First, we have to show that under our assumptions the algorithm will not report any failure. This could happen only in step 3b(i) or 4a. Let $n \mid N(a)$ in step 3b. Then, in particular, $p \mid N(a)$ and thus the element $\pi_p(a)$ is not invertible. Moreover, $\mathbb{Z}_p[\sqrt m]$ is isomorphic to the field $\mathbb{F}_{p^2}$, since $\left(\frac mp\right) = -1$. We conclude that $\pi_p(a)$ must be zero, that is to say, $p \mid a_1$ and $p \mid a_2$. Consequently, the algorithm cannot terminate in step 3b(i). Now let $b \in f_n(B_n)$ in step 4. From step 3, $B_n \subseteq \mathbb{Z}_n[\sqrt m]^*$, so $b$ is correctly defined. The conjugation modulo $p$ is easily seen to be nothing but the Frobenius map. The endomorphism $f_p$ thus raises the elements of $\mathbb{Z}_p[\sqrt m]^*$ to the power of $p-1$. As $M$ is a multiple of $p+1$, it follows that $b^M$ modulo $p$ must be equal to 1. Therefore no failure can be reported in step 4a.

Second, we should prove that $n$ is prime when step 8 is reached. Let us assume the contrary and seek a contradiction. Denote by $q$ the least prime factor of $n$, and by $n'$ the squarefree part of $n$. Define $\Lambda$ as $\mathrm{LCM}_{b \in f_{n'}(B_{n'})}\mathrm{ord}_{n',m}(b)$. From step 6, we have $\Lambda = \mathrm{LCM}_{b \in f_q(B_q)}\mathrm{ord}_{q,m}(b)$. By step 7, $\langle f_n(B_n)\rangle_{n,m}$ is cyclic; so are its homomorphic images $\langle f_{n'}(B_{n'})\rangle_{n',m}$ and $\langle f_q(B_q)\rangle_{q,m}$. Thus
$$\#\langle f_{n'}(B_{n'})\rangle_{n',m} = \Lambda = \#\langle f_q(B_q)\rangle_{q,m}.$$
Hence
$$\#\langle f_{n'}(B_{n'})\rangle_{n',m} \le \#f_q(\mathbb{Z}_q[\sqrt m]^*).$$
Furthermore, $\#\langle f_{n'}(B_{n'})\rangle_{n',m} \ge \#\langle B_{n'}\rangle_{n',m}/\#\ker f_{n'}$. From step 2, $n' \ge n_0$, which by theorem 5.4 yields $\#\langle B_{n'}\rangle_{n',m} \ge n'^{3/2}$. We will evaluate $\#\ker f_{n'}$. Let $s$ be a prime dividing $n'$. If $\left(\frac ms\right) = -1$, then we already know that $\#\ker f_s = s-1$. In the case when $\left(\frac ms\right) = 1$, it is not hard to show that $f_s$ acts like the endomorphism $(a, b) \mapsto (ba^{-1}, ab^{-1})$ of $\mathbb{Z}_s^* \oplus \mathbb{Z}_s^*$, and therefore $\#\ker f_s = s-1$. Consequently, $\#\ker f_{n'} = \prod_{s \mid n'}\#\ker f_s = \prod_{s \mid n'}(s-1)$. Combining all the above, we get
$$\#\langle f_{n'}(B_{n'})\rangle_{n',m} \ge \#f_q(\mathbb{Z}_q[\sqrt m]^*)\cdot\frac{1}{\#f_q(\mathbb{Z}_q[\sqrt m]^*)\cdot\#\ker f_q}\cdot q\,n'^{1/2}.$$
By the isomorphism theorem, $\#f_q(\mathbb{Z}_q[\sqrt m]^*)\cdot\#\ker f_q = \#\mathbb{Z}_q[\sqrt m]^*$, which is less than $q^2$. From step 1, $q \le n'^{1/2}$. Hence
$$\#\langle f_{n'}(B_{n'})\rangle_{n',m} > \#f_q(\mathbb{Z}_q[\sqrt m]^*)\cdot q^{-1}n'^{1/2} \ge \#f_q(\mathbb{Z}_q[\sqrt m]^*).$$
This contradicts the previously obtained inequality $\#\langle f_{n'}(B_{n'})\rangle_{n',m} \le \#f_q(\mathbb{Z}_q[\sqrt m]^*)$. The running time analysis is similar to that of algorithm Split; the role of the "base set" $B$ is played here by $f_n(B_n)$, whose cardinality is $O_m((\ln n)^{2c})$. □
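The mechanism the proof just used (conjugation modulo $p$ is the Frobenius, so $f_p$ raises to the power $p-1$ and $f_p(a)^M = 1$ as soon as $p+1 \mid M$), as an added Python example that is not the paper's code. It works in $\mathbb{Z}_n[\sqrt m]$ with the basis $\{1, \sqrt m\}$ rather than $\{1, y\}$, takes the single unit $2 + \sqrt5$ of norm $-1$ as base element, and runs step 4 of Split2 for it. The modulus $23\cdot 1019$ with $m = 5$ and $B = 5$ is a constructed input: $\left(\frac{5}{23}\right) = -1$ and $23 + 1 = 24$ is 5-smooth, whereas 5 is a square modulo 1019 and neither $1018 = 2\cdot 509$ nor $1020 = 2^2\cdot 3\cdot 5\cdot 17$ is 5-smooth.

```python
from math import gcd


def ring_mul(x, y, m, n):
    """Product of x = x1 + x2*sqrt(m) and y = y1 + y2*sqrt(m) in Z_n[sqrt(m)]."""
    x1, x2 = x
    y1, y2 = y
    return ((x1 * y1 + m * x2 * y2) % n, (x1 * y2 + x2 * y1) % n)


def ring_pow(x, e, m, n):
    """x^e in Z_n[sqrt(m)] by square-and-multiply."""
    result, base = (1 % n, 0), x
    while e:
        if e & 1:
            result = ring_mul(result, base, m, n)
        base = ring_mul(base, base, m, n)
        e >>= 1
    return result


def f_n(a, m, n):
    """The endomorphism f_n: a -> conj(a) * a^{-1} of Z_n[sqrt(m)]^*.

    Because a * conj(a) = N(a) = a1^2 - m*a2^2 is an integer, a^{-1} equals
    conj(a) / N(a).  Returns None when N(a) is not invertible modulo n; the
    paper's step 3 then looks at (N(a), n) instead."""
    a1, a2 = a
    norm = (a1 * a1 - m * a2 * a2) % n
    if gcd(norm, n) != 1:
        return None
    conj = (a1 % n, (-a2) % n)
    inv_norm = pow(norm, -1, n)
    a_inv = (conj[0] * inv_norm % n, conj[1] * inv_norm % n)
    return ring_mul(conj, a_inv, m, n)


def smooth_exponent(n, bound):
    """M = prod_{q <= bound} q^{ceil(ln(n+1)/ln q)}, as in the proof of theorem 5.1,
    so that every prime power <= n + 1 of a prime q <= bound divides M."""
    M = 1
    for q in range(2, bound + 1):
        if all(q % r for r in range(2, q)):
            e, power = 0, 1
            while power < n + 1:        # smallest e with q^e >= n + 1
                power *= q
                e += 1
            M *= q ** e
    return M


def p_plus_1_split(n, m, a, bound):
    """Step 4 of Split2 for one base element a: with b = f_n(a) and
    b^M = b1 + b2*sqrt(m), return a nontrivial divisor of n found as
    (b1 - 1, n) or (b2, n), or None if neither gcd is proper."""
    b = f_n(a, m, n)
    if b is None:
        return None
    b1, b2 = ring_pow(b, smooth_exponent(n, bound), m, n)
    for d in (gcd(b1 - 1, n), gcd(b2, n)):
        if 1 < d < n:
            return d
    return None


if __name__ == "__main__":
    print(f_n((2, 1), 5, 23 * 1019))                  # (23428, 4), i.e. -9 + 4*sqrt(5)
    print(p_plus_1_split(23 * 1019, 5, (2, 1), 5))    # 23
```

Modulo 23 the ring is the field $\mathbb{F}_{23^2}$ and $b = a^{22}$ has order dividing 24, so $b^M \equiv 1$ there; modulo 1019 the ring is $\mathbb{F}_{1019}\oplus\mathbb{F}_{1019}$, where $b$ corresponds to a pair $(t, t^{-1})$ with $t$ of order 509 or 1018, so $b^M \ne 1$ in that component and both gcds single out the factor 23.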

Pollard's $p-1$ and Williams' $p+1$ algorithms are part of a family of factoring algorithms called the cyclotomic methods. These were introduced by Bach and Shallit [6], who proved, conditionally on the generalized Riemann hypothesis (GRH), the following. Let $\Phi_k$ be the $k$-th cyclotomic polynomial. An integer $n$ can be split in random polynomial time whenever $\Phi_k(p)$ is smooth for some prime $p$ dividing $n$, and integer $k$ polynomial in the size of $n$. If we fix $k$ and strengthen (reasonably, of course) the condition on $p$, it will eventually appear that neither GRH nor randomness are necessary.

Theorem 5.5. Let $F$ be a monic, irreducible polynomial of degree $k$ in $\mathbb{Z}[X]$, $k \ge 2$, such that the extension $K$ of $\mathbb{Q}$, obtained by adjoining a root $\theta$ of $F$, is cyclic. Let $m \mid k$, $m \ge 2$, and $B \ge \ln n$. Assume that $n$ is divisible by a prime $p$ with the property that $\Phi_m(p)$ is $B$-smooth and $F$ modulo $p$ is irreducible in $\mathbb{Z}_p[X]$. Then a nontrivial factor (or a proof of the primality) of $n$ can be computed in $O_{c,\theta}(B(\ln n)^{\dots})$ deterministic time, where $h$ is the class number of $K$ and $c$ is any constant greater than $2k$.

In the proof we will adopt two more pieces of notation. We will write $O_K$ for the ring of integers of $K$. Furthermore, let $G$ be a group (written multiplicatively), $a \in G$, $\eta : G \to G$, $V = \sum_i v_i X^i \in \mathbb{Z}[X]$. The expression $V(\eta)(a)$ will stand for $\prod_i \eta^i(a^{v_i})$, $\eta^i$ being the $i$-th iteration of $\eta$ ($\eta^0$ the identity).

Proof. There is no loss of generality in supposing that $n$ is coprime to the discriminant of $F$. The rings $O_K/(n)$ and $\mathbb{Z}_n[\theta]$ are then isomorphic; we identify them for convenience. The Galois group of $K$ over $\mathbb{Q}$ consists of, say, $\psi_1, \ldots, \psi_k$. Denote by $\psi_{i,n}$ the automorphism of $\mathbb{Z}_n[\theta]$ induced by $\psi_i$. Let $f_{i,n}$ be the endomorphism
$$a \mapsto \prod_{l \mid k,\ l \ne m}\Phi_l(\psi_{i,n})(a)$$
of $\mathbb{Z}_n[\theta]^*$. The prime $p$ remains prime in $O_K$; let $\psi_j$ be the Frobenius over $(p)$. Then $f_{j,p}$ acts like $\mathbb{F}_{p^k}^* \ni a \mapsto a^{(p^k-1)/\Phi_m(p)} \in \mathbb{F}_{p^k}^*$. Consequently, setting $M = \prod_{q \le B} q^{\lceil k\ln n/\ln q\rceil}$ yields $f_{j,p}(a)^M = 1$ for any $a \in \mathbb{Z}_p[\theta]^*$. Up to now, we followed [6]. However, in order to compute deterministically a nontrivial factorization of $n$, we define a "base set" of the form $f_{j,n}(B_n)$. We do not know $j$ a priori, but in practice we can work in turn with each endomorphism $f_{i,n}$, $i = 1, \ldots, k$. An integral basis $\omega = (\omega_1, \ldots, \omega_k)$ of $O_K$ and a finite set $U$ of generators for $O_K^*$ should be constructed independently of $n$, in a precomputation phase. Consider
$$A = \{a_1\omega_1 + \ldots + a_k\omega_k : |a_i| \le c_1(\ln n)^{ch},\ 1 \le i \le k\},$$
where $c_1$ is the constant $c_3$ from theorem 3.4 of [27]. Let $\pi_n$ be the projection $O_K \to \mathbb{Z}_n[\theta]$. Similarly to the proof of theorem 5.1 we can assume that $\pi_n(U \cup A)\setminus\{0\} \subseteq \mathbb{Z}_n[\theta]^*$ and put $B_n = \pi_n(U \cup A)\setminus\{0\}$. Again, let $q = p^-(n)$ and let $n'$ be the squarefree part of $n$. Here also we can force $f_{j,n}(B_n)^M = \{1\}$ and further ... This would follow from appropriate generalizations of steps 4-7 of algorithm Split2. Still, the extension of theorem 5.4 to $O_K$ gives a lower bound for $\#\langle f_{j,n'}(B_{n'})\rangle_{n'}$ in terms of $\prod_{s \mid n'}\#\ker f_{j,s}$ if $\varepsilon > 0$ and $n'$ exceeds some constant $n_0$ independent of $n$. We have finally reached the interesting part of the proof, which is bounding $\#\ker f_{j,s}$ for $s$ a prime factor of $n$. There are two cases to treat:



(i) $s$ stays prime in $\mathcal{O}_K$;

(ii) $s$ splits in $\mathcal{O}_K$: $(s) = S_1 \cdots S_e$, where the $S_i$ are distinct primes of degree $d$, $d = k/e$, $e \ge 2$.

Before we do this, note that $\psi_j$ has order $k$ (because $\psi_{j,p}$ has order $k$). Suppose that (i) holds. The automorphism $\psi_j$ generates the Galois group of $K$ over $\mathbb{Q}$, isomorphic by reduction modulo $s$ to the Galois group of $\mathcal{O}_K/(s)$ over $\mathbb{F}_s$, and so $\psi_{j,s}$ is raising to the power of $s^r$ for some $r$ relatively prime to $k$, $r < k$.

Therefore $\mu_s$ acts as $\mathbb{F}_{s^k}^* \ni a \mapsto a^{\prod_{l \mid k,\, l \neq m} \Phi_l(s^r)} \in \mathbb{F}_{s^k}^*$. It is easy to show that

$$ \prod_{l \mid k,\; l \neq m} \Phi_l(X^r) = \prod_{l \mid k,\; l \neq m}\ \prod_{t \mid r} \Phi_{lt}(X). $$

This product is coprime to $\Phi_m$, since $m \mid k$.

We apply Bezout's identity for polynomials to see that $\bigl(\Phi_m(s), \prod_{l \mid k,\, l \neq m} \Phi_l(s^r)\bigr)$ is bounded by a constant $c_2$ depending solely on $k$. Hence

$$ \#\ker \mu_s = \Bigl(\prod_{l \mid k,\; l \neq m} \Phi_l(s^r),\; s^k - 1\Bigr) \le c_2\, \frac{s^k - 1}{\Phi_m(s)} \le c_3\, s^{k-1}, $$

where $c_3$ also depends only upon $k$.

Now assume that $s$ satisfies (ii). We want to bound the number of solutions $(a_1, \dots, a_e) \in (\mathcal{O}_K/S_1)^* \oplus \dots \oplus (\mathcal{O}_K/S_e)^*$ to the equation $\mu_s(a_1, \dots, a_e) = 1$. The automorphism $\psi_j$ acts on the set $\{S_1, \dots, S_e\}$ as a cyclic permutation. In particular, $\psi_j^{\,e}$ generates the decomposition group of $S_1$, which is known to be isomorphic (by reduction modulo $S_1$) to the Galois group of $\mathcal{O}_K/S_1$ over $\mathbb{F}_s$. Consequently, there is an $r$ coprime to $d$, such that $\psi_j^{\,e}(a) + S_1 = a^{s^r} + S_1$ for every $a \in \mathcal{O}_K$.

Thus $\mu_s(a_1, \dots, a_e) + S_1$ is of the form $b\, a_1^{-1 + \sum_{0 \le i \le d-1} u_i s^{ri}}$ with $b$ independent of $a_1$, and $u_i$ integers depending just on $k$ and $m$. The $-1$ in the exponent of $a_1$ corresponds actually to the free term of $\prod_{l \mid k,\, l \neq m} \Phi_l$ ($m \ge 2$). Since $(r, d) = 1$, we have $a_1^{-1 + \sum_{0 \le i \le d-1} u_i s^{ri}} = a_1^{-1 + \sum_{0 \le i \le d-1} v_i s^{i}}$, where the $v_i$ are a permutation of the $u_i$. In the field $\mathcal{O}_K/S_1$ there are at most $\bigl|{-1} + \sum_{0 \le i \le d-1} v_i s^i\bigr|$ solutions to the equation $b\, a_1^{-1 + \sum_{0 \le i \le d-1} v_i s^i} = 1$ of unknown $a_1$. Therefore

$$ \#\ker \mu_s \le (s^d - 1)^{e-1} \cdot \Bigl|{-1} + \sum_{0 \le i \le d-1} v_i s^i\Bigr| \le c_4\, s^{k-1} $$

for a constant $c_4$ depending only upon $k$.

Proceeding along the same lines as the proof of theorem 5.1 we get, if $\varepsilon > 0$ and $n' > n_0$, the inequality

where the (positive) constant $c_5$ depends solely on $k$. Take $\varepsilon = \cdots$. Since $\#\langle \mu_{n'}(B_{n'}) \rangle_{\mathbb{Z}_{n'}[\theta]^*} \le \cdots$, we conclude that $n$ is divisible by a prime less than $\max(n_0, c_6^{\,\cdots})$ or $n$ is a prime power. □

Remark 5.6. According to Frobenius' theorem, if $F$ is as in theorem 5.5, then the set of primes $p$ such that $F$ modulo $p$ is irreducible in $\mathbb{Z}_p[X]$ has density 
This set consists in fact of primes lying in residue classes which can be explicitly determined. It suffices to express the root $\theta$ of $F$ as an element of a cyclotomic field (here we appeal to the Kronecker–Weber theorem) and examine the order of the Frobenius automorphism in $\mathbb{Z}_p[\theta]$ (for $p$ not dividing the discriminant of $F$). As an example, $F = X^3 - 3X + 1$ (a correct choice) is irreducible in $\mathbb{Z}_p[X]$ if and only if $p \equiv \pm 2 \pmod 9$ or $p \equiv \pm 4 \pmod 9$. We could thus reformulate theorem 5.5 in completely elementary terms for specific polynomials $F$. We highly recommend that the reader interested in the theoretical setting of cyclotomic factoring algorithms, and willing to compare in detail our result with the classic method of Bach and Shallit, consult 

6. Some known reductions of factoring to computing $\varphi$

Taking $M = \varphi(n)$ in theorem 3.1 we get the following classical result.

Theorem 6.1 (Rabin). Given $\varphi(n)$ we can completely factor $n$ in $O((\ln n)^{\cdots})$ expected time.

For reasons already explained at the end of section 3, substituting $M = \varphi(n)$ also gives

Theorem 6.2 (Miller). If the ERH holds, then given $\varphi(n)$ we can completely factor $n$ in $O((\ln n)^{\cdots})$ deterministic time.
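The splitting step behind theorems 6.1 and 6.2, as an added Python illustration that is not part of the paper: with $M = \varphi(n)$ every base $b$ coprime to $n$ satisfies $b^M \equiv 1 \pmod n$, so walking the chain $b^{M/2^i}$ either passes through $-1$ or exposes a nontrivial square root of $1$, whose gcd with $n$ is a proper factor. The fixed base bound $2(\text{bit length})^2$ is a constructed stand-in for the $(\ln n)^2$ bases of Miller's ERH argument, and the perfect-power check is what is assumed for divisors that no base splits.

```python
from math import gcd

def iroot(x, e):
    """Largest integer r with r**e <= x (binary search)."""
    lo, hi = 1, 1 << (x.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo

def perfect_power(d):
    """Return (r, e) with r**e == d and e maximal (e == 1 if d is not a perfect power)."""
    for e in range(d.bit_length(), 1, -1):
        r = iroot(d, e)
        if r ** e == d:
            return r, e
    return d, 1

def split_with_exponent_multiple(d, M, base_bound):
    """Proper divisor of odd d, or None.  M is a multiple of the exponent of Z_d^*
    (here M = phi(n) for a divisor d of n).  Write M = 2**s * t, t odd, and square
    b**t repeatedly: an x with x**2 == 1 but x != +-1 gives gcd(x - 1, d) proper."""
    s, t = 0, M
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for b in range(2, base_bound):
        g = gcd(b, d)
        if 1 < g < d:
            return g                   # b itself shares a factor with d
        if g == d:
            continue
        x = pow(b, t, d)
        if x in (1, d - 1):
            continue
        for _ in range(s):
            y = x * x % d
            if y == 1:
                return gcd(x - 1, d)   # x is a nontrivial square root of 1
            x = y
            if x == d - 1:
                break                  # chain reaches 1 through -1: b reveals nothing
    return None

def factor_with_phi(n, phi_n):
    """Complete factorization {p: exponent} of n given phi(n).  Since
    lambda(d) | lambda(n) | phi(n) for every divisor d, phi(n) serves for all of them.
    The base bound is a constructed deterministic choice (see the lead-in)."""
    bound = max(50, 2 * n.bit_length() ** 2)
    factors, work = {}, [n]
    while work:
        d = work.pop()
        if d == 1:
            continue
        if d % 2 == 0:
            factors[2] = factors.get(2, 0) + 1
            work.append(d // 2)
            continue
        g = split_with_exponent_multiple(d, phi_n, bound)
        if g is not None:
            work.extend([g, d // g])
            continue
        # no base splits odd d: treat it as a prime power (Z_d^* has only +-1 as roots of 1)
        r, e = perfect_power(d)
        factors[r] = factors.get(r, 0) + e
    return dict(sorted(factors.items()))
```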

Define $G(n)$ as the least integer $m$ such that $\mathbb{Z}_n^*$ is generated by integers less than or equal to $m$ and coprime to $n$. In [8], Burthe proved that $\frac{1}{x} \sum_{n \le x} G(n) = O((\ln x)^{\cdots})$. In particular, $G(n) < (\ln n)^{\cdots + \varepsilon}$ for almost all integers $n$. Now recall that any nonprincipal character modulo $n$ takes a value different from $1$ for an integer less than or equal to $G(n)$. It follows by a similar argument to the one used after theorem 3.2 that given $\varphi(n)$ we can completely factor $n$ in $O((\ln n)^{\cdots + \varepsilon})$ deterministic time for almost all $n$.
While it is an open problem whether factoring unconditionally reduces in deterministic polynomial time to computing Euler's $\varphi$ function, for some integers such a reduction is particularly easy. The simplest nontrivial examples are integers $n$ with exactly two prime factors. Suppose first that $n = pq$. Then $p + q = n - \varphi(n) + 1$. Given $\varphi(n)$ we compute the right-hand side of this equality and find $p$ and $q$ by solving a quadratic equation. Now turn to the general case $n = p^{\alpha} q^{\beta}$, say $p < q$. If $p \nmid q - 1$, then $\frac{n}{(n, \varphi(n))} = pq$ and $\frac{\varphi(n)}{(n, \varphi(n))} = (p-1)(q-1) = \varphi(pq)$; thus the previous method applies. If $p \mid q - 1$, then $\frac{n}{(n, \varphi(n))} = q$; therefore $q, \beta, \alpha, p$ will be obtained one after the other.
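The two-prime reduction just described, as an added Python example (not the paper's code): for $n = pq$ the sum $p + q = n - \varphi(n) + 1$ makes $p, q$ the roots of $X^2 - (p+q)X + n$; for $n = p^{\alpha} q^{\beta}$ the gcd $(n, \varphi(n))$ either strips the extra prime powers so that the same quadratic applies ($p \nmid q-1$) or isolates $q$ directly ($p \mid q-1$). The sample inputs in the test are constructed.

```python
from math import gcd, isqrt

def factor_pq(n, phi_n):
    """n = p*q with distinct primes: p + q = n - phi(n) + 1, so p and q are the
    roots of X^2 - (p+q) X + n.  Returns (p, q) with p < q, or None."""
    s = n - phi_n + 1
    disc = s * s - 4 * n
    if disc <= 0:
        return None
    r = isqrt(disc)
    if r * r != disc or (s - r) % 2:
        return None
    p, q = (s - r) // 2, (s + r) // 2
    return (p, q) if p > 1 and p * q == n else None

def valuation(n, p):
    """Exponent of the prime p in n."""
    v = 0
    while n % p == 0:
        n, v = n // p, v + 1
    return v

def factor_two_prime_powers(n, phi_n):
    """n = p^a * q^b with primes p < q, given phi(n).  Returns (p, a, q, b).
    g = (n, phi(n)) = p^(a-1) q^(b-1) * (p, q-1), and the last factor is 1 or p."""
    g = gcd(n, phi_n)
    pq = factor_pq(n // g, phi_n // g)
    if pq is not None:
        # p does not divide q-1: n/g = pq and phi(n)/g = (p-1)(q-1) = phi(pq)
        p, q = pq
        return p, valuation(n, p), q, valuation(n, q)
    # p divides q-1: g = p^a q^(b-1), so n/g = q; then b, then p^a, then p
    q = n // g
    b = valuation(n, q)
    p_pow_a = n // q ** b                        # p^a
    rest = phi_n // (q ** (b - 1) * (q - 1))     # p^(a-1) (p-1)
    p_pow_a_minus_1 = gcd(p_pow_a, rest)         # p does not divide p-1
    p = p_pow_a // p_pow_a_minus_1
    return p, valuation(n, p), q, b
```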

Landau [15] showed that computing the equal order factorization of any integer $n$, that is, the sequence $n_i := \prod_{p :\, v_p(n) = i} p$ ($i \ge 1$), can be done in deterministic polynomial time given a "$\varphi$-oracle" (this oracle finds instantly the values of Euler's $\varphi$ function for $O(\ln n)$-bit inputs). In fact, if $\omega(n) \ge 3$, then $O(\omega(n) (\ln n)^{\cdots})$ bit operations and at most $\omega(n) - 2$ oracle calls (including $\varphi(n)$) are needed. Notice that if $\omega(n_i) \le 2$ for all $i$, then the additional calls $\varphi(n_i)$ will lead to the complete factorization of $n$. For instance, every integer $n = p^{\alpha} q^{\beta} s^{\gamma}$, where $p, q, s$ are distinct primes and $\alpha, \beta, \gamma$ integers not all equal, can be, given $\varphi(n)$, completely factored in $O((\ln n)^{\cdots})$ deterministic time.

7. Some subsets of the graph of $\varphi$ recognizable in deterministic polynomial time

In section 4 we have described in simple, arithmetic terms a set of integers of density 1 in $\mathbb{N}$ (the set $\{n : D(n, u) < 1\}$ with $u$ fixed) whose elements $n$ are all factorable in deterministic polynomial time if $\varphi(n)$ is given in a fully factored form. The ideas presented there are extended here to get a much more concrete result: exhibit a possibly large set of integers $n$ that are factorable in deterministic polynomial time given $\varphi(n)$ and only a part of its factorization, which in turn can be obtained in polynomial time with the deterministic Pollard $p - 1$ method. Let $B$ and $\delta$ be positive real numbers. First define the following subsets of $\mathbb{P}$.

• $\mathcal{P}_B$ is the set of primes $q$ such that $p - 1$ is $B$-smooth for every prime $p$ dividing $q - 1$.

• $\mathcal{Q}_{B,\delta}$ is the set of primes $q$ such that the $B$-smooth part of $q - 1$ is not less than $q^{\delta}$.

Now consider, for $k$ an integer, $u, \delta, \eta$ positive real numbers, $\delta < 1$, $\eta < 1$, the set $\mathcal{N}_{k,u,\delta,\eta}$ of integers that can be written in the form $n = n_1 n_2 n_3$, where the $n_i$ are pairwise coprime, and:

(1) $n_1$ has exactly $k$ distinct prime factors, all belonging to $\mathcal{P}_{(\ln n)^u}$.

(2) $n_2$ is a product of primes from $\mathcal{Q}_{(\ln n)^u, \delta}$.

(3) $n_3$ has at most two distinct prime factors. Furthermore, if $\omega(n_3) = 2$ and $n_2 \neq 1$, then $p_-(n_2) > p_-(n_3)^{\eta}$.

We will prove

Theorem 7.1. Let $\mathcal{N}_{k,u,\delta,\eta}$ be as above. Given the pair $(n, \varphi(n))$, with $n \in \mathcal{N}_{k,u,\delta,\eta}$, we can completely factor $n$ in $O((\ln n)^{C})$ deterministic time for some constant $C$ depending only on $k, u, \delta, \eta$. In particular, the set $\{(n, \varphi(n)) : n \in \mathcal{N}_{k,u,\delta,\eta}\}$ is recognizable in deterministic polynomial time ($k, u, \delta, \eta$ being fixed).

We prepare the proof with some lemmas, keeping the notation of the theorem and assuming, without loss of generality, that $p_-(n) > (\ln n)^{\max(\cdots)}$.

Lemma 7.2. Let $d$ be a factor of $n$, $M$ the $(\ln n)^u$-smooth part of $\varphi(n)$, $B = \{2, 3, \dots, [(\ln d)^{\cdots}]\}$ and $G = B^{\varphi(n)/M}$ modulo $d$. Assume that $d$ is divisible by two distinct primes $q_1, q_2$ from $\mathcal{Q}_{(\ln n)^u, \delta}$. Then $G$ contains a Fermat-Euclid witness for $d$ or $\langle G \rangle_d$ is not cyclic.

Proof. Without loss of generality we let $q_1 < q_2$. Suppose, on the contrary, that there is no Fermat-Euclid witness for $d$ among the elements of $G$ and that $\langle G \rangle_d$ is cyclic. Then $\langle G \rangle_{q_1 q_2}$ is also cyclic, as a homomorphic image of $\langle G \rangle_d$, and so $\#\langle G \rangle_{q_1 q_2} = \mathrm{LCM}_{g \in G}\, \mathrm{ord}_{q_1 q_2}(g)$. Moreover,

$$ \mathrm{LCM}_{g \in G}\, \mathrm{ord}_{q_1 q_2}(g) = \mathrm{LCM}_{g \in G}\, \mathrm{ord}_d(g) = \mathrm{LCM}_{g \in G}\, \mathrm{ord}_{q_1}(g). $$

Therefore $\#\langle G \rangle_{q_1 q_2}$ divides $(q_1 - 1, M)$, which equals, say, $M_1$. We will show that $\#\langle G \rangle_{q_1 q_2} > M_1$ to derive a contradiction. Denote by $h$ the endomorphism raising every element of $\mathbb{Z}_{q_1 q_2}^*$ to the power of $\varphi(n)/M$. We have $\langle G \rangle_{q_1 q_2} = h(\langle B \rangle_{q_1 q_2})$; hence $\#\langle G \rangle_{q_1 q_2} \ge \#\langle B \rangle_{q_1 q_2} / \#\ker h$. The numerator $\#\langle B \rangle_{q_1 q_2} \ge \psi(q_1 q_2, (\ln q_1 q_2)^{\cdots}) \ge (q_1 q_2)^{\cdots}$. The denominator $\#\ker h = (q_1 - 1, \varphi(n)/M)(q_2 - 1, \varphi(n)/M) = \frac{(q_1 - 1)(q_2 - 1)}{M_1 M_2}$, where we let $M_2 = (q_2 - 1, M)$. Also, $q_2 \in \mathcal{Q}_{(\ln n)^u, \delta}$ and $q_2 > q_1$, thus $M_2 \ge q_2^{\delta} > (q_1 q_2)^{\delta/2}$. Putting all together gives $\#\langle G \rangle_{q_1 q_2} \ge \frac{M_1 M_2 (q_1 q_2)^{\cdots}}{(q_1 - 1)(q_2 - 1)} > M_1$, as required. □

Lemma 7.3. Let $d$ be a factor of $n$, $M$ the $(\ln n)^u$-smooth part of $\varphi(n)$, $B' = \{2, 3, \dots, [(\ln d)^{(2+\eta)/\cdots}]\}$ and $G' = B'^{\,\varphi(n)/M}$ modulo $d$. Suppose that $d$ is divisible by two distinct primes $p$ and $q$, $q \in \mathcal{Q}_{(\ln n)^u, \delta}$, $q > p^{\eta}$. Then $G'$ contains a Fermat-Euclid witness for $d$ or $\langle G' \rangle_d$ is not cyclic.

Proof. Suppose that no element of $G'$ is a Fermat-Euclid witness for $d$. We are to explain why then $\langle G' \rangle_d$ cannot be cyclic. Let $A = \mathrm{LCM}_{g \in G'}\, \mathrm{ord}_p(g)$. By assumption, $A$ also equals $\mathrm{LCM}_{g \in G'}\, \mathrm{ord}_q(g)$, which is $\#\langle G' \rangle_q$. Write $M_1$ for the $(\ln n)^u$-smooth part of $q - 1$. Similarly to the proof of lemma 7.2 we obtain

$$ \#\langle G' \rangle_q \ge \frac{M_1\, q^{\cdots}}{q - 1} \ge q^{\delta/2}. $$

Therefore $A \ge q^{\delta/2} > p^{\eta\delta/2}$. Since $A$ divides $(p - 1, M)$, it follows that $p \in \mathcal{Q}_{(\ln n)^u, \eta\delta/2}$. Furthermore, $q \in \mathcal{Q}_{(\ln n)^u, \delta} \subseteq \mathcal{Q}_{(\ln n)^u, \eta\delta/2}$. Replacing $\delta$ by $\eta\delta/2$ in lemma 7.2 we conclude that $\langle G' \rangle_d$ is not cyclic. □

Lemma 7.4. Let $d$ be a factor of $n$, $M' = \prod p^{v_p(\varphi(n))}$, where the product ranges over the primes $p$ such that $p - 1$ is $(\ln n)^u$-smooth, and $B'' = \{2, 3, \dots, [(\ln d)^{k+3}]\}$. Assume that $d$ has a prime divisor $q \in \mathcal{P}_{(\ln n)^u}$ and that $\omega(d) \le k + 2$. Then one of the following conditions holds.

(i) $1 < (b^{M'} - 1, d) < d$ for some $b \in B''$.

(ii) $b^{M'} \equiv 1\ (d)$ for all $b \in B''$ and $B''$ contains a Fermat-Euclid witness for $d$.

(iii) $b^{M'} \equiv 1\ (d)$ for every $b \in B''$ and, setting $A = \mathrm{LCM}_{b \in B''}\, \mathrm{ord}_d(b)$, we have $p_-(d) \equiv 1\ (A)$, $A > d^{a}$, with $a > \cdots$.

Proof. The definitions of $M'$ and $q$ imply that $q - 1 \mid M'$. Consequently, $b^{M'} \equiv 1\ (q)$ for any $b \in B''$. We shall therefore suppose that $b^{M'} \equiv 1\ (d)$ for every $b \in B''$, that there is no Fermat-Euclid witness for $d$ in $B''$, and verify the properties of $A$. Under the latter assumption, $A \mid p - 1$ for all primes $p$ dividing $d$, for $p_-(d)$ in particular. That forces $(A, d) = 1$ and so $(\#\langle B'' \rangle_d, d) = 1$. Hence $\langle B'' \rangle_d \le \bigoplus_{p \mid d} C_{p-1} \le \mathbb{Z}_A^{\omega(d)}$. Therefore $\langle B'' \rangle_d$ contains, for each prime factor $q$ of $A$, at most $\omega(d)$ linearly independent elements of order dividing $q^{v_q(A)}$. It follows that $A^{\omega(d)} \ge \#\langle B'' \rangle_d$. Thus $A \ge \psi(d, (\ln d)^{k+3})^{1/\omega(d)} \ge d^{a}$, where $a = \cdots(1 - \cdots)$. Checking that $a > \cdots$ is straightforward. □

Lemma 7.5 (Coppersmith et al.). Assume we are given integers $h > v > 0$ and reals $\alpha, \beta, \gamma$ satisfying $0 < \alpha < 1$, $0 < \beta < \gamma < 1 - \alpha$, $v(v+1) + \cdots\, h(h-1) - 2(\alpha + \beta) v h < 0$. If $d$ is larger than some effectively computable constant, then all the divisors of $d$ of the form $sx + r$, where $0 < r < s < d$, $s > d^{\alpha}$, $(r, s) = (s, d) = 1$, $d^{\beta} < x < d^{\gamma}$, can be found in deterministic polynomial time in $v, h, \ln d$.

Lemma 7.6. Let $r, s, d, l$ be integers and $a$ a real number. Suppose that $0 < r < s < d$, $s > d^{a}$, $(r, s) = (s, d) = 1$, $a > \cdots$ and $d$ is sufficiently large. Then all the divisors of $d$ of the form $sx + r$ and less than $d^{\cdots}$ can be found in $O_l((\ln d)^{\cdots})$ deterministic time, where $e = a - \cdots$.

Proof. This is achieved by partitioning the range of $x$ into intervals to which lemma 7.5 can be applied. We refer the reader to [10] for the details of the algorithm. For the running time, just follow closely the proof of lemma 7.5 therein. □

Proof of theorem 7.1. We describe an algorithm to compute the complete factorization of $n$.

(1) Let $L_1 = \{n\}$, $L_2 = \emptyset$.

(2) Use the AKS primality test to check whether $L_1$ consists exclusively of prime numbers. If so, or $L_1 = \emptyset$, then:

(a) If $L_2 = \emptyset$ then output $n = \prod_{p \in L_1} p^{v_p(n)}$ as the complete factorization of $n$ and stop.

(b) If $\#L_2 > 1$ then report failure and stop. In the contrary case, try to factor the only element $m$ of $L_2$ into a product of two primes, $m = p^{\alpha} q^{\beta}$, assuming that $\varphi(m) = \varphi(n) \big/ \prod_{s \in L_1} s^{v_s(n) - 1}(s - 1)$. If this works then output $n = p^{\alpha} q^{\beta} \prod_{s \in L_1} s^{v_s(n)}$ as the complete factorization of $n$ and stop. Otherwise report failure and stop.

(3) Choose $d \in L_1 \setminus \mathbb{P}$.

(4) If $d$ is a prime power $p^{a}$ then replace $d$ by $p$ in $L_1$. Return to step 2.

(5) Attempt to split $d$ by means of the factoring algorithms corresponding evidently to lemmas 7.2, 7.3, 7.4 and 7.6. If this produces a nontrivial factorization $d = d_1 d_2$ then further apply a factor refinement procedure (cf. [4]) to get a nontrivial factorization $d = d'_1 d'_2$ with $(d'_1, d'_2) = 1$. Also, remove $d$ from $L_1$, adjoin $d'_1, d'_2$ to $L_1$, and return to step 2.

(6) Remove $d$ from $L_1$ and adjoin it to $L_2$. Return to step 2.






The algorithm obviously terminates. All we need to show is that when it does, $L_2 = \emptyset$ or $L_2 = \{m\}$ with $\omega(m) = 2$. Let $d$ be an integer chosen in step 3 of the algorithm, $d$ not equal to a prime power. Then $d$ must have one of the following forms:

(i) $d$ divisible by two distinct primes from $\mathcal{Q}_{(\ln n)^u, \delta}$;

(ii) $d$ divisible by a prime from $\mathcal{P}_{(\ln n)^u}$, at most one prime from $\mathcal{Q}_{(\ln n)^u, \delta}$ and at most one prime factor of $n_3$;

(iii) $d$ divisible by a prime $q$ from $\mathcal{Q}_{(\ln n)^u, \delta}$ and the prime $p_-(n_3)$, $\omega(n_3) = 2$;

(iv) $d = p^{v_p(n)} q^{v_q(n)}$, where $q \in \mathcal{Q}_{(\ln n)^u, \delta}$, $p = p_+(n_3)$, $\omega(n_3) = 2$;

(v) $d = n_3$, $\omega(n_3) = 2$;

(vi) $d = n_3 q^{v_q(n)}$, where $q \in \mathcal{Q}_{(\ln n)^u, \delta}$, $\omega(n_3) = 1$.

The integer $d$ will be split in deterministic polynomial time:

• In case (i) by lemma 7.2.

• In case (ii) by lemmas 7.4 and 7.6, since then $\omega(d) \le k + 2$.

• In case (iii) by lemma 7.3, because then $q > p_-(n_3)^{\eta}$.

Clearly, $d$ can be adjoined to $L_2$ only in cases (iv)–(vi), and if it is, no other element will. □

Remarks. In part 1 of the definition of $\mathcal{N}_{k,u,\delta,\eta}$, assuming that the prime factors of $n_1$ belong to $\mathcal{P}_{(\ln n)^u}$ is assuming that the part of $\varphi(n)$ which can be completely factored in deterministic polynomial time with the $p - 1$ method is a multiple of $\prod_{q \mid n_1} (q - 1)$. This assumption could be slightly relaxed by considering other deterministic factoring methods, such as the $p + 1$ methods of section 5. Also, the condition $\omega(n_1) = k$ could be replaced by the weaker: if $q_1, \dots, q_{k+1}$ are $k + 1$ distinct primes dividing $n_1$, then the gcd of $q_1 - 1, \dots, q_{k+1} - 1$ is $(\ln n)^u$-smooth.

Primality testing is a special case of the problem of testing for membership in $\{(n, \varphi(n)) : n \in \mathcal{N}_{k,u,\delta,\eta}\}$ or, more generally, in $\{(n, \varphi(n)) : n \in \mathbb{N}\}$. Indeed, the set of primes can be identified with the subset $\{(n, n - 1) : n \in \mathbb{P}\}$ of the graph of $\varphi$. Before primality was known to be decidable in deterministic polynomial time [2], Konyagin and Pomerance [14] showed that for any fixed, positive $u$ and $\delta$, the set $\{q : q \in \mathcal{Q}_{(\ln q)^u, \delta}\}$ is recognizable in deterministic polynomial time. Some of their ideas are used in this article, but in a more synthetic way.

To conclude this section, we shall state without proof a result similar to theorem 7.1 for the sum of divisors function $\sigma$ (for a random polynomial time reduction of factoring to computing $\sigma$ cf. [4]). Let $\mathcal{R}$ be a finite subset of $\mathbb{Z}$, and let $\mathcal{R}'$ be the set of primes $q$ such that $\left(\frac{m}{q}\right) = -1$ for some $m \in \mathcal{R}$. Moreover, let

• $\mathcal{P}_{\mathcal{R}, B}$ be the subset of $\mathcal{R}'$ of such primes $q$ that for each prime $p$ dividing $q + 1$: $p - 1$ is $B$-smooth, or $p + 1$ is $B$-smooth and $p \in \mathcal{R}'$;

• $\mathcal{Q}_{\mathcal{R}, B, \delta}$ be the subset of $\mathcal{R}'$ of such primes $q$ that the $B$-smooth part of $q + 1$ is not less than $q^{\delta}$.

To define $\mathcal{M}_{\mathcal{R}, k, u, \delta, \eta}$, replace in the definition of $\mathcal{N}_{k,u,\delta,\eta}$ the set $\mathcal{P}_{(\ln n)^u}$ by $\mathcal{P}_{\mathcal{R}, (\ln n)^u}$, the set $\mathcal{Q}_{(\ln n)^u, \delta}$ by $\mathcal{Q}_{\mathcal{R}, (\ln n)^u, \delta}$, and add a fourth condition:

(4) $v_q(n_1 n_2)$ is odd for all primes $q$ dividing $n_1 n_2$.

Then the following analogue of theorem 7.1 holds.

Theorem 7.7. Given the pair $(n, \sigma(n))$, with $n \in \mathcal{M}_{\mathcal{R}, k, u, \delta, \eta}$, the complete factorization of $n$ can be computed in $O((\ln n)^{C})$ deterministic time, where $C$ is some constant depending only upon $\mathcal{R}, k, u, \delta, \eta$. In particular, membership in $\{(n, \sigma(n)) : n \in \mathcal{M}_{\mathcal{R}, k, u, \delta, \eta}\}$ is decidable in deterministic polynomial time (for $\mathcal{R}, k, u, \delta, \eta$ fixed and $\mathcal{R}$ finite).

8. A subexponential reduction of factoring to computing $\varphi$

We shall abbreviate any expression of the form $\exp\bigl((\ln x)^{a} (\ln \ln x)^{1-a}\bigr)$ as $L(x, a)$. In this section we will first prove

Theorem 8.1. Suppose that $\varphi(n)$ is given in a completely factored form. Then the complete factorization of $n$ can be found in less than $L(n, \tfrac{1}{3})^{1 + o(1)}$ deterministic time.

Then deduce

Corollary 8.2. Let $k = \min\{l \in \mathbb{N} : \varphi^{l}(n) = 1\}$. There is a deterministic algorithm that, given the sequence $(n, \varphi(n), \varphi^{2}(n), \dots, \varphi^{k}(n))$, outputs the complete factorization of $n$ in less than $L(n, \tfrac{1}{3})^{1 + o(1)}$ time.

Proof. Let $1 \le m \le k$. Once we have found the complete factorization of $\varphi^{m}(n)$, we can compute, from theorem 8.1, the complete factorization of $\varphi^{m-1}(n)$ in less than $L(n, \tfrac{1}{3})^{1 + o(1)}$ deterministic time. Since $\varphi^{k}(n) = 1$ and $k \le 1 + \log_2 n$, the corollary follows by induction. □

In the proof of theorem 8.1 we will exhibit a procedure that factors $n$ recursively, that is, splits any previously computed, reducible divisor $d$ of $n$ further. Let $p = p_-(d)$. Additionally, let $\alpha, \beta, \gamma$ be real numbers from the interval $(0, 1)$, parameters to be optimally chosen. Assume that $p > L(d, 1 - \alpha)$. Define $B$ as $\{2, 3, \dots, [L(d, 1 - \alpha)]\}$, and denote $\mathrm{LCM}_{b \in B}(\mathrm{ord}_d(b))$ by $A$.

Lemma 8.3. Let $(1 - \beta)(1 - \gamma) < 1 - \alpha$. Suppose that $B$ contains no Fermat-Euclid witness for $d$ and that $\omega(d) > \bigl(\frac{\ln d}{\ln \ln d}\bigr)^{\beta}$. Then $p = mA + 1$ for some integer $m < L(d, (1 - \beta)\gamma)$ if $p$ is sufficiently large.

Proof. We have

$$ L(p, 1 - \gamma) \le \exp\Bigl(\bigl(\tfrac{\ln d}{\omega(d)}\bigr)^{1-\gamma} (\ln \ln d)^{\gamma}\Bigr) \le L(d, (1 - \beta)(1 - \gamma)) \le L(d, 1 - \alpha), $$

where the last inequality holds if $d$ is large enough. Assume that $d$ is indeed such. As $B$ contains no Fermat-Euclid witness for $d$, it follows that $A = \mathrm{LCM}_{b \in B}(\mathrm{ord}_p(b))$. Consequently, $A = \#\langle B \rangle_p \ge \psi(p, L(p, 1 - \gamma))$. By theorem 2.2 we obtain $A \ge p\, L(p, \gamma)^{-1}$ if $p$ is sufficiently large. We can write $p = mA + 1$ for some $m \in \mathbb{N}$, because $A \mid p - 1$. Therefore $mA < p \le A\, L(p, \gamma)$. Hence

$$ m < L(p, \gamma) \le \exp\Bigl(\bigl(\tfrac{\ln d}{\omega(d)}\bigr)^{\gamma} (\ln \ln d)^{1-\gamma}\Bigr) \le L(d, (1 - \beta)\gamma). $$

□
Lemma 8.4. Let $\beta < \tfrac{1}{2}$, $1 - \beta \ge \alpha$. Assume that there is no Fermat-Euclid witness for $d$ in $B$ and that $\omega(d) \le \bigl(\frac{\ln d}{\ln \ln d}\bigr)^{\beta}$. Then $A^{\omega(d)+1} > \binom{\omega(d)}{[\omega(d)/2]}\, d$ if $d$ is sufficiently large.

Proof. Just as in the proof of lemma 7.4 we have $A^{\omega(d)} \ge \#\langle B \rangle_d \ge \psi(d, L(d, 1 - \alpha))$. Hence $A^{\omega(d)+1} \ge \psi(d, L(d, 1 - \alpha))^{\frac{\omega(d)+1}{\omega(d)}}$. Let $-1 < \varepsilon < -\alpha$. It follows from theorem 
that $\psi(d, L(d, 1 - \alpha))^{\frac{\omega(d)+1}{\omega(d)}} \ge d^{\frac{\omega(d)+1}{\omega(d)}} L(d, \alpha)^{\varepsilon \frac{\omega(d)+1}{\omega(d)}}$ if $d$ is large enough. It is sufficient to show that

$$ d^{\frac{1}{\omega(d)}} L(d, \alpha)^{\varepsilon \frac{\omega(d)+1}{\omega(d)}} \ge \binom{\omega(d)}{[\omega(d)/2]}. $$

This is clear when $\varepsilon \frac{\omega(d)+1}{\omega(d)} \le -1$, because then $\omega(d)$ is bounded from above. Suppose therefore that $\varepsilon \frac{\omega(d)+1}{\omega(d)} > -1$. For sufficiently large $d$ we get

$$ d^{\frac{1}{\omega(d)}} L(d, \alpha)^{\varepsilon \frac{\omega(d)+1}{\omega(d)}} \ge L(d, 1 - \beta)\, L(d, \alpha)^{\varepsilon \frac{\omega(d)+1}{\omega(d)}} \ge L(d, 1 - \beta)^{\cdots} \ge \exp\Bigl(\bigl(\tfrac{\ln d}{\ln \ln d}\bigr)^{\beta} \ln 2\Bigr) \ge \exp(\omega(d) \ln 2) = 2^{\omega(d)} \ge \binom{\omega(d)}{[\omega(d)/2]}. $$

□



The case $k = 3$ of the ensuing lemma was proved in [14].

Lemma 8.5. Let $d = p_1^{e_1} \cdots p_k^{e_k}$. Assume $A$ divides $p_i - 1$ for $i = 1, \dots, k$; $p_i = b_i A + 1$. Suppose in addition that $A^{k+1} > \binom{k}{[k/2]}\, d$. Write $d$ in base $A$: $d = 1 + a_1 A + \dots + a_k A^{k}$. Let $g = 1 + a_1 X + \dots + a_k X^{k}$. Then $g = (b_1 X + 1) \cdots (b_k X + 1)$ in $\mathbb{Z}[X]$. Furthermore, this factorization can be obtained with the Hensel–Berlekamp algorithm in $O((\ln d)^{\cdots} (\ln \ln d)^{\cdots})$ deterministic time.

Proof. We have $d = p_1^{e_1} \cdots p_k^{e_k} = (b_1 A + 1)^{e_1} \cdots (b_k A + 1)^{e_k}$. Since $A^{k+1} > d$, it follows that $e_1 = \dots = e_k = 1$. Hence

$$ 1 + a_1 A + \dots + a_k A^{k} = (b_1 A + 1) \cdots (b_k A + 1) = 1 + \sum_{j=1}^{k} \sigma_{k,j}(b_1, \dots, b_k) A^{j}, $$

where $\sigma_{k,j}(b_1, \dots, b_k) = \sum_{1 \le i_1 < \dots < i_j \le k} b_{i_1} \cdots b_{i_j}$. It is therefore sufficient to show that $0 \le \sigma_{k,j}(b_1, \dots, b_k) < A$ for every $j$, $1 \le j \le k$. By assumption, $A^{k+1} > \binom{k}{[k/2]} d$ and thus $b_1 \cdots b_k \binom{k}{[k/2]} d < b_1 \cdots b_k A^{k+1} \le dA$. Hence $b_1 \cdots b_k \binom{k}{[k/2]} < A$ and it follows that $0 \le \sigma_{k,j}(b_1, \dots, b_k) \le \binom{k}{j} b_1 \cdots b_k \le \binom{k}{[k/2]} b_1 \cdots b_k < A$. It remains to prove that $g$ can be completely factored in the stated time. We first need a "small" prime $p$ not dividing $a_k$, and such that $g_p$ is squarefree, $g_p$ being the reduction of $g$ modulo $p$. An upper bound for such a $p$ is given in [16] (3.9): $p = O(k \ln k + k \ln |g|)$, where $|g| := \bigl(\sum_{i=1}^{k} (1 + a_i)^{\cdots}\bigr)^{\cdots}$. Verifying that $p = O((\ln d)^{\cdots})$ is straightforward. Let $a = a_k^{-1}\ (p)$, $e = [\cdots]$. We factor completely $a g_p$ with the Berlekamp algorithm in $O(k(k + p)(k \ln p)^{\cdots}) = O((\ln d)^{\cdots} (\ln \ln d)^{\cdots})$ deterministic time (cf. theorem 7.4.5 of [5]). Then we lift this factorization to the factorization $\prod_{1 \le i \le k} (X + b_i^{-1})$ modulo $p^{e}$ with the Hensel algorithm in $O(ke(k \ln p)^{\cdots}) = O((\ln d)^{\cdots} (\ln \ln d)^{\cdots})$ deterministic time (cf. theorem 7.7.2 of [5]). Finally, we compute $b_i\ (p^{e})$ for every $i$. This finishes the proof, as each $b_i$ is less than $p^{e}$. □
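Lemma 8.5 worked in Python, as an added example that is not the paper's code: for $d = \prod (b_i A + 1)$ with the $b_i$ small enough, the base-$A$ digits of $d$ are the elementary symmetric functions of the $b_i$, so $g(X) = \sum a_j X^j = \prod (b_i X + 1)$. Instead of Hensel–Berlekamp, the $b_i$ are recovered here by the rational-root test (the roots are $-1/b_i$, so each $b_i$ divides the leading digit $a_k$) and exact division; $A = 210$ and the primes $211, 421, 631$ in the test are constructed.

```python
from math import comb, prod

def base_digits(d, A):
    """Digits of d in base A, least significant first (a_0 is the constant term)."""
    digits = []
    while d:
        d, rem = divmod(d, A)
        digits.append(rem)
    return digits

def lemma_condition_holds(d, A, k):
    """Hypothesis of the lemma: A^(k+1) > C(k, floor(k/2)) * d, which keeps every
    elementary symmetric function of the b_i below A, so the digits are exact."""
    return A ** (k + 1) > comb(k, k // 2) * d

def divide_by_linear(coeffs, b):
    """Exact division of g (coefficients, low degree first) by (b X + 1) over Z.
    Returns the quotient's coefficients, or None if the division is not exact."""
    rest = list(coeffs)
    quotient = [0] * (len(coeffs) - 1)
    for j in range(len(coeffs) - 1, 0, -1):
        if rest[j] % b:
            return None
        q_j = rest[j] // b             # coefficient of X^(j-1) in the quotient
        quotient[j - 1] = q_j
        rest[j] -= q_j * b             # cancels the X^j term
        rest[j - 1] -= q_j             # subtract q_j X^(j-1) * 1
    return quotient if rest[0] == 0 else None

def factor_from_base_A(d, A):
    """Primes p_i = b_i A + 1 of d = prod (b_i A + 1), read off the base-A digits:
    g(X) = sum a_j X^j = prod (b_i X + 1); the roots -1/b_i are located by the
    rational-root test (each b_i divides the current leading coefficient)."""
    g = base_digits(d, A)
    k = len(g) - 1
    if g[0] != 1 or not lemma_condition_holds(d, A, k):
        raise ValueError("lemma hypothesis not met")
    bs = []
    while len(g) > 1:
        lead = g[-1]                   # product of the b_i not yet removed
        for b in range(1, lead + 1):
            if lead % b == 0:
                h = divide_by_linear(g, b)
                if h is not None:
                    bs.append(b)
                    g = h
                    break
        else:
            raise ValueError("g does not split into linear factors over Z")
    primes = sorted(b * A + 1 for b in bs)
    assert prod(primes) == d
    return primes
```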

Proof of theorem 8.1. We find the complete factorization of $n$ using the algorithms associated with lemmas 8.3, 8.4 and 8.5. The running time bound of our recursive procedure is obviously less than $L(n, \max(1 - \alpha, (1 - \beta)\gamma))^{1 + o(1)}$. It remains to minimize $\max(1 - \alpha, (1 - \beta)\gamma)$ over the set

$$ \{(\alpha, \beta, \gamma) : 0 < \alpha < 1,\ 0 < \beta < \tfrac{1}{2},\ 0 < \gamma < 1,\ 1 - \beta \ge \alpha,\ (1 - \beta)(1 - \gamma) \le 1 - \alpha\}. $$

Some easy calculations show that the minimum is $\tfrac{1}{3}$, reached for $\alpha = \tfrac{2}{3}$, $\beta = \tfrac{1}{3}$, $\gamma = \tfrac{1}{2}$. □

Remark 8.6. The above method reduces the factorization of Carmichael numbers $n$ to the factorization of $n - 1$ in less than $L(n, \tfrac{1}{3})^{1 + o(1)}$ deterministic time.